diff options
| author | Julien Tinnes <[email protected]> | 2009-07-10 17:46:30 +0000 |
|---|---|---|
| committer | James Morris <[email protected]> | 2009-07-12 22:01:47 +0000 |
| commit | b3a633c8527ef155b1a4e22e8f5abc58f7af54c9 (patch) | |
| tree | 4d5e16c82db298320c3515dca9f6eeca27164b3b /security/selinux/hooks.c | |
| parent | SELinux: Convert avc_audit to use lsm_audit.h (diff) | |
| download | kernel-b3a633c8527ef155b1a4e22e8f5abc58f7af54c9.tar.gz kernel-b3a633c8527ef155b1a4e22e8f5abc58f7af54c9.zip | |
personality handling: fix PER_CLEAR_ON_SETID for security reasons
We have found that the current PER_CLEAR_ON_SETID mask on Linux
doesn't include neither ADDR_COMPAT_LAYOUT, nor MMAP_PAGE_ZERO.
The current mask is READ_IMPLIES_EXEC|ADDR_NO_RANDOMIZE.
We believe it is important to add MMAP_PAGE_ZERO, because by using
this personality it is possible to have the first page mapped inside a
process running as setuid root. This could be used in those scenarios:
- Exploiting a NULL pointer dereference issue in a setuid root binary
- Bypassing the mmap_min_addr restrictions of the Linux kernel: by
running a setuid binary that would drop privileges before giving us
control back (for instance by loading a user-supplied library), we
could get the first page mapped in a process we control. By further
using mremap and mprotect on this mapping, we can then completely
bypass the mmap_min_addr restrictions.
Less importantly, we believe ADDR_COMPAT_LAYOUT should also be added
since on x86 32bits it will in practice disable most of the address
space layout randomization (only the stack will remain randomized).
Signed-off-by: Julien Tinnes <[email protected]>
Signed-off-by: Tavis Ormandy <[email protected]>
Acked-by: Christoph Hellwig <[email protected]>
Acked-by: Kees Cook <[email protected]>
Signed-off-by: James Morris <[email protected]>
Diffstat (limited to 'security/selinux/hooks.c')
0 files changed, 0 insertions, 0 deletions